Language: python
Severity: medium
CWE: CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Passing globals() as the context to a template render function (for example Jinja2's Template.render() or Mako's Template.render()) hands the template every module-level name in the calling module: imported modules such as os and subprocess, configuration secrets, database handles, and any helper function. Anyone who controls or can influence the template text can then read those objects and, with engines that allow templates to call objects, invoke them, even though none of them were meant to be reachable from a template. The fix is to build the context explicitly, passing only the values the template needs.
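The following is an added example, not code from the original page or from the tool that produced this rule. It uses str.format_map() as a dependency-free stand-in for a template engine's render() call, since it resolves {name} and {name.attr} lookups against the supplied mapping the same way an engine resolves {{ name.attr }}. The module-level DB_PASSWORD value and the function names render_unsafe, render_safe and template_is_blocked are constructed for this illustration. A real engine such as Jinja2 would additionally let the template call the exposed objects (for example os.system), which str.format_map() cannot do.

```python
"""Added example: why globals() must never be a template context.

str.format_map() stands in for a template engine's render(). It resolves
{name} and {name.attr} against the mapping it is given, which is enough to
show what leaks; a real engine would also let the template *call* objects.
"""
import os

# Constructed module-level state of a small web app. Both of these names
# live in globals() and are therefore exposed by render_unsafe().
DB_PASSWORD = "example-secret-not-real"  # constructed placeholder, not a real secret


def render_unsafe(template: str) -> str:
    """Vulnerable pattern: every module-level name is reachable from the template."""
    return template.format_map(globals())


def render_safe(template: str, **allowed) -> str:
    """Hardened pattern: the template sees only the names the caller passes explicitly."""
    return template.format_map(allowed)


def template_is_blocked(template: str, **allowed) -> bool:
    """True when the hardened renderer refuses the template because it
    references a name that is not in the explicit context."""
    try:
        render_safe(template, **allowed)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    # An attacker-supplied template reading a secret straight out of globals().
    print(render_unsafe("password is {DB_PASSWORD}"))
    # The imported os module is exposed too; with a calling-capable engine the
    # template could invoke os.system rather than merely reference it.
    print(render_unsafe("{os.system}"))
    # With an explicit context the same templates fail because the names do not exist.
    print(template_is_blocked("{DB_PASSWORD}", user="alice"))
    print(template_is_blocked("{os.system}", user="alice"))
    print(render_safe("hello {user}", user="alice"))
```

An explicit context is the fix for this rule, but it is not a sandbox: templates in most engines can still walk attributes of whatever objects they are given, so keep the context to plain data and, where the template text is user-influenced, render it with the engine's sandboxed mode (Jinja2 provides jinja2.sandbox.SandboxedEnvironment for this purpose).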

Impact

If an attacker can influence the template text, the exposed objects let them read secrets and, depending on the engine, execute arbitrary Python through the template, which can lead to data theft, server compromise, or complete takeover of the application. The resulting unauthorized access and data breaches are severe security incidents.